Cyber Attacks - A View Through The SIEM Looking Glass - Part 1

David Buerckner - Nov 29, 2017

This is a two-part article about the visibility a SIEM solution can provide into cyber-attacks. Part 1 gives an overview of what SIEM is and how it works, both on-premise and with servers hosted in AWS and Azure cloud environments. Part 2 discusses some of the interesting observations made while running honeypot exercises in the public cloud.

What is SIEM?

Security Incident and Event Monitoring - it’s quite a mouthful, and the term covers a lot of different security services: vulnerability scanning, syslog checking, availability monitoring and security incident alerting. Combining multiple products is fundamental to a SIEM solution, because its job is to aggregate and correlate security data from many sources.
The simplest way to explain SIEM is by comparison with a firewall, which most people have some familiarity with.

In layman’s terms, a firewall is like the security guard at the entrance to a department store. The security guard has some rules to follow about people entering and leaving the store. And the security guard’s job is just to follow those rules. These days, with Next Generation Firewalls, it is more like a security guard that also has access to a smartphone, but fundamentally, the firewall’s focus is on the main entrance of the store, and rules to be followed on entrance and departure.

In addition to a security guard, a department store might also have a store detective or two. The store detective’s job is to roam around the store and look for suspicious behavior. If someone moved from one corner of the store to the opposite corner, and then went to the checkout and only bought a packet of Life Savers, the store detective might view that as suspicious. Similarly, if a customer moved from one staff entrance to the next and tried each door to see if it was open, the store detective would take notice of that behavior. A SIEM is the store detective.
The SIEM takes information from various sources over a period of time and correlates it into alarms based on risk. For example, a high number of failed logons from different sources over a 10-minute period won’t generate any activity from the firewall, but a SIEM can recognise that something is suspicious, raise an alarm and trigger a response.

Observing the Internal Network with SIEM

The SIEM gathers information in two ways: agents installed on devices that report back to the SIEM system, and observation of internal network traffic. Observing network traffic utilises port mirroring, which forwards a copy of the traffic to the SIEM without affecting normal network operations. This can be done in both physical networks and virtualised environments such as VMware.
Typically, the SIEM solution will be placed near the firewall at the Internet perimeter, but it is also possible to monitor from multiple locations using remote sensors.

Observing the network in this way allows alarms to be triggered by risky user behavior without agents being installed on every device. For example, the firewall may block access to known phishing sites. The SIEM can enhance this by raising alarms on attempted access to such sites, which may indicate compromised systems within your network. A Medium alarm could be triggered by more than 20 attempted connections from different network devices to a phishing site, while 500 attempts could generate a High alarm for immediate action.
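The two correlation rules sketched above (failed logons from many sources within 10 minutes, and distinct devices contacting a known phishing site at 20 and 500 thresholds) share one shape: count distinct sources per target inside a sliding window and map the count to a severity. The example below implements that shape in Python; it is added here and is not code from the original article. The failed-logon thresholds, the 10-minute window for the phishing rule, the placeholder phishing domain and all sample events are constructed assumptions.

```python
"""Sliding-window threshold correlation, the kind of rule a SIEM runs.
Added example, not code from the original article. Rule 1: failed logons from
many distinct sources within 10 minutes. Rule 2: distinct internal hosts reaching
a known phishing site (20 -> Medium, 500 -> High are the article's figures).
Logon thresholds, the phishing-rule window and all sample events are assumptions."""
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
PHISHING_LEVELS = ((500, "High"), (20, "Medium"))   # article's figures, highest first
LOGON_LEVELS = ((50, "High"), (10, "Medium"))       # assumed; the article gives no numbers
PHISHING_SITES = {"phish.example.invalid"}          # placeholder; a threat feed supplies these

def severity(distinct_count, levels):
    """Highest severity whose threshold the count reaches (at or above), or None."""
    for threshold, level in levels:
        if distinct_count >= threshold:
            return level
    return None

def correlate(events, match, levels, window=WINDOW):
    """events: time-ordered (ts, kind, src, dst) tuples; match() picks the events a
    rule cares about. Per dst, count distinct src inside the window and keep one
    alarm per dst at the peak severity reached."""
    recent, alarms = {}, {}   # dst -> deque of (ts, src); dst -> (severity, peak count)
    for ts, kind, src, dst in events:
        if not match(kind, src, dst):
            continue
        q = recent.setdefault(dst, deque())
        q.append((ts, src))
        while ts - q[0][0] > window:      # expire events that fell out of the window
            q.popleft()
        distinct = len({s for _, s in q})
        level = severity(distinct, levels)
        if level and distinct > alarms.get(dst, (None, 0))[1]:
            alarms[dst] = (level, distinct)
    return alarms

def failed_logon_alarms(events):
    return correlate(events, lambda k, s, d: k == "auth_fail", LOGON_LEVELS)

def phishing_alarms(events):
    return correlate(events, lambda k, s, d: k == "web" and d in PHISHING_SITES, PHISHING_LEVELS)

def sample_events():
    """Constructed data: 25 Internet sources fail to log on within 8 minutes; later 30 internal hosts (one twice) hit a phishing site."""
    t0 = datetime(2017, 11, 29, 9, 0)
    ev = [(t0 + timedelta(seconds=20 * i), "auth_fail", f"203.0.113.{i}", "ssh-bastion")
          for i in range(25)]
    ev += [(t0 + timedelta(minutes=30, seconds=10 * i), "web", f"10.0.0.{i % 30}", "phish.example.invalid")
           for i in range(31)]
    return ev
```

Running `failed_logon_alarms(sample_events())` yields a Medium alarm for `ssh-bastion` with 25 distinct sources, and `phishing_alarms(sample_events())` a Medium alarm for the placeholder domain with 30 distinct hosts; the repeated host is not double-counted because the rule counts distinct sources, not connections.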

What About Systems in Public Cloud?

The most significant difference with SIEM in a public cloud environment is that it is limited to agent-based monitoring. There is no ability to perform port mirroring in an Azure, AWS or Google environment the way there is for physical networks, or for VMware, Hyper-V or RHEV virtualised environments. However, the use of agents alone in these systems can still be very powerful (more on this in Part 2).

Public cloud servers have a HIDS (host-based intrusion detection) agent installed, and connect back to the SIEM server, which might be located on-premise as a physical or virtual server, or even hosted in the public cloud. The capability to monitor, alarm and report is no different from that of an on-premise server.

What Will a SIEM Solution Tell Me?

Essentially, a SIEM solution highlights areas of risk in your network, or shows that it has already been compromised. Part 2 goes into specific examples, but in the tests we recently conducted, SIEM monitoring showed brute-force attacks starting within 10 minutes of a server becoming publicly accessible, levels of compromise within hours, and exploits occurring within a day. The SIEM provides visibility of this, so you can then make business decisions on how to respond.